Vocal Voices

[Suff]

Also known as ShellShock is a bug in a basic part of the Linux/Unix operating systems. It allows malicious programs to invade your computers and then set up attacks on other computers, essentially opening your security like a can opener.

What does it mean to "You"?

You might think that this is just some technical thing which you don't need to worry about. But, this time, unlike heartbleed, you'd be wrong. This bug has been categorised as a 10. Or otherwise "Catastrophic" to all Unix style devices, connected to the internet.

So what does that mean to you in reality? Let's try and identify the devices at risk.

All Mac computers
All Linux computers
Some Windows computers if they have Unix compatible services on them.
All iPhones
All iPod's
All iPad's
The iWatch when it ships
Pretty much every Android phone
All the Android tablets
All Kindles and Kindle fire's
Every other ebook reader which uses Android or Linux (like my Nook)
Every Camera which has a wireless connection
Apple TV
All other streaming media boxes such as WD TV Live (including my Netgear NeoTV350 which is now impossible to upgrade without netgear support. Which they won't give.)
Wireless connected fridges/freezers/washing machines
Networked printers
Most internet modems whether they are wifi or not

Pretty much anything which runs an X operating system and connects to the internet.

What can you do? Well, in short, pretty much nothing right now until manufacturers have started getting patches and updates out there, but there are a few things you can do.

Turn off wifi if you don't need it.
Don't install any apps which you cannot absolutely verify
Be careful where you browse and absolutely do not go to places which look even in the slightest part dodgy
Get some security/AV/Firewall on the device. I got my Symantec mobile package from ebay for around £20 and it is a family license, every android or apple device I have.

Why did they release it now before everyone is ready to patch?

I was talking to #3 son today and he works for a company which hosts 1,500 websites on Linux. They have already detected attempts to take over their sites using this bug.

I suggest everyone is just a touch more careful right now until the patches start to come out and then patch everything in sight. Go checking your manufacturer support and ask the question. They will probably have Q&A on their support sites pretty soon for those who need to know.

I have 2 Android phones, multiple routers and one ebook reader. One android phone already has security, the other is off for the foreseeable future. Mrs S will have her iPad security installed this weekend.

[Nanna]

You've got me worried now. I always thought that Macs were reletively secure. What iPad security are you installing on your wife's iPad?

[Suff]

I bought the Norton Mobile Security from ebay. You have to be careful there and watch the comments for Scammers as there are quite a few. The whole package is normally about £60 and I paid, I think, around £20.

This is not really about Apple as such. They are using a program that is more than 30 years old and the problem has existed for about 23 years. They just inherited it. What it comes down to is how fast Apple will send out a patch and which versions of the OS they will patch. For instance some of the older iPads (2 etc), won't be able to run iOS7 or 8. Ditto really early iPhones.

Whilst this is a really critical flaw, the main thing is to be really vigilant right now. The main issue with this flaw is that just about every piece of technology which is computerised and is not Windows, runs some version of Linux. If it connects to the internet, then it's at risk. I should have included just about every Set top box, every freeview recorder and every freesat recorder which connects to the Internet. If they are not needed to be networked then they should not be until the firmware is updated.

[Suff]

More info

It's moving quite quickly.

However I'm a bit taken aback at the independent article. First indications are that it will use web servers to attack as that is a known entry point. But the point here is that virtually any machine which uses Bash will be at risk eventually. Especially phones and tablets which are habitually not hidden behind a firewall.

Interesting was the advice not to use online payments in the near term. That's going to hurt...

[Nanna]

Thanks Suff but that's gone right over the top of my head

[Suff]

I bought Norton Mobile secuirity.

You might want to look at Lookout. Norton is not for everyone and I use it because I know the software and I know it's capabilities and the downsides.

[Workingman]

The Linux community has always been a bit "superior" when it comes to their systems being attacked. The myth that Linux/Unix systems were naturally secure has been blown out of the water.

[Suff]

They have.

The next part is horrendously technical and for WM and anyone who can keep up.

I've just been kicking this around with #1 son. Almost every ADSL router on the planet has a Linux OS and a website to manage it which uses CGI.

So when we kicked this around we decided that the biggest threat to people is Windows malware which infects the router and changes the DNS provider.

That's just ONE implication. It's going to be incredibly huge until we get everything fixed. I don't think manufacturers have even thought about how they are going to catch up.

For instance my NeoTV350 has telnet open with a blank root password and a website with a CGI script and I can't close it down. All the security is read only written into the firmware which boots from a single squashfs image file mounted on boot. Netgear are never going to patch it as they will have to issue a new firmware.

Then what about all those x year old routers where the company has gone out of business or they were made in china by dodgygarageproductions.com?

I can't see x million people going out and buying new routers because of a bug they can't fix. But if they don't, they open themselves up to every single thing they type or do being read by someone malicious.....

This is the first and only time I've been glad that I have an Orange Livebox where France Telecom have the admin account and do the patching..... Now I have to go away and have a long hard think about what hardware I have and how I have to secure it. I've got at least two machines which I've removed the AV from in the last two months which I will need to redeploy and at least one other which I don't think I have AV for.

Plus my new Windows8.1 phone doesn't seem to have any AV available.....

It's going to be a long weekend.

[Workingman]

People in general are warned to be secure. For that they are told that as a minimum they need a firewall and anti-virus, and to password protect their WiFi network. Just about everyone, everywhere, does all of that..... thank goodness. However.......

I wonder how many people are out there who have never, ever, changed the router password, typically username: admin, password: admin. They probably will not have even looked at is because nobody has ever told them to.

[Suff]

My concern too. So if people open malware which attacks the router, there is a really good chance that their router is going to be attacked, successfully if it's not patched for the Bash bug.

The only possible defense for pepole who aren't able to change their router password (or worse upgrade the firmware), is to have a comprehensive protection suite which ensures that no virus or worm is able to exploit it.